US11849045B2 · Active · Utility · PatentIndex 61
Controlling verification of key-value stores
Assignee: MICROSOFT TECHNOLOGY LICENSING LLC · Priority: Jun 30, 2016 · Filed: Jul 10, 2019 · Granted: Dec 19, 2023
Est. expiry: Jun 30, 2036 (~10 yrs left) · nominal 20-yr term from priority
Inventors: ARASU ARVIND, EGURO KENNETH, KAUSHIK RAGHAV, KOSSMANN DONALD, RAMAMURTHY RAVISHANKAR, MENG PINGFAN, PANDEY VINEET
CPC: H04L 9/3234, G06F 16/00, G06F 21/645, G06F 21/78, H04L 9/3236, H04L 9/3242
PatentIndex Score: 61 · Cited by: 0 · References: 16 · Claims: 20
Abstract
Deferred verification of the integrity of data operations over a set of data that is hosted at an untrusted module (UM) is controlled. The controlling includes generating a request for a data operation on the set of data. The request includes an authentication portion. The request is sent to the UM. A response to the request is received from the UM. The response includes cryptographic verification information attesting the integrity of the data operation with respect to prior data operations on the set of data. The response includes results from deferred verification at a trusted module (TM).
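As an added illustration (not the patent's own code or text), a Python sketch of the deferred verification the abstract and claims 3 to 6 describe: every operation on the key-value store is logged into a read set and a write set held inside the trusted module, verification is deferred until the batch ends, and on success the results are authenticated with the key shared with the client. The additive multiset hash used to hold the two sets, the version counter, and the HMAC tag are assumptions about how the read/write-set comparison and the "cryptographic verification information" could be realized; the patent does not specify them.

```python
import hashlib
import hmac

P = (1 << 127) - 1  # constructed modulus for the additive multiset hash (assumption, not from the patent)


def _elem(key, value, version):
    """Map one (cell, value, version) triple to a field element of the multiset hash."""
    d = hashlib.sha256(repr((key, value, version)).encode()).digest()
    return int.from_bytes(d, "big") % P


class DeferredVerifiedKV:
    """Trusted-module state is only two multiset hashes, a counter and the result log;
    the dict passed in plays the untrusted module's memory (key -> (value, version))."""

    def __init__(self, shared_key: bytes, untrusted_store: dict):
        self.key = shared_key
        self.mem = untrusted_store
        self.read_set = self.write_set = 0
        self.clock = 0
        self.results = []

    def _op(self, name, k, update):
        v, ver = self.mem.get(k, (None, 0))
        if ver == 0:  # first touch of a cell: its empty initial state counts as written
            self.write_set = (self.write_set + _elem(k, None, 0)) % P
        self.read_set = (self.read_set + _elem(k, v, ver)) % P  # log what the UM returned
        self.clock += 1
        new_v = update(v)
        self.mem[k] = (new_v, self.clock)  # every operation writes the cell back with a fresh version
        self.write_set = (self.write_set + _elem(k, new_v, self.clock)) % P
        self.results.append((name, k, v))
        return v

    def insert(self, k, v): return self._op("insert", k, lambda _: v)
    def lookup(self, k):    return self._op("lookup", k, lambda old: old)
    def update(self, k, v): return self._op("update", k, lambda _: v)
    def delete(self, k):    return self._op("delete", k, lambda _: None)

    def verify(self):
        """Deferred verification: read every cell once more, then compare read set to write set.
        Returns (results, tag) on success, None on failure (claim 2: fall back to a verified backup)."""
        rs = self.read_set
        for k, (v, ver) in self.mem.items():
            rs = (rs + _elem(k, v, ver)) % P
        if rs != self.write_set:
            return None
        tag = hmac.new(self.key, repr(self.results).encode(), hashlib.sha256).hexdigest()
        return self.results, tag
```

A client holding the same key recomputes the HMAC over the returned results to confirm they came through a successful verification; a modified, rolled-back or dropped cell in the untrusted store leaves the two multisets unequal and verify() returns None.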
Claims
exact text as granted — not AI-modified
What is claimed is:
1. A method comprising:
receiving requests provided by a client to perform multiple data operations on a set of data within a trusted module, the trusted module sharing a cryptographic key with the client;
performing the multiple data operations within the trusted module;
after performing the multiple data operations within the trusted module, performing deferred verification of the multiple data operations performed within the trusted module;
in an instance where the deferred verification succeeds, generating cryptographic verification information using the cryptographic key, the cryptographic verification information attesting to integrity of the multiple data operations performed within the trusted module; and
outputting the cryptographic verification information and results of the multiple data operations performed within the trusted module,
wherein the multiple data operations are performed by the trusted module on a key-value store prior to initiating the deferred verification, the multiple data operations include at least one of an insert operation, a lookup operation, a delete operation, or an update operation, and the deferred verification attests to integrity of the multiple data operations on the key-value store.
2. The method of claim 1, further comprising:
in another instance when the deferred verification fails, resorting to a previously-verified backup of the set of data.
3. The method of claim 2, wherein the performing the deferred verification comprises:
maintaining a read set for the multiple data operations and a write set for the multiple data operations.
4. The method of claim 3, further comprising:
determining that the deferred verification succeeds when the read set matches the write set.
5. The method of claim 4, further comprising:
determining that the deferred verification fails when the read set does not match the write set.
6. The method of claim 5, further comprising:
writing data of the write set to verified memory cells; and
reading the data of the read set from the verified memory cells.
7. The method of claim 1, wherein the trusted module comprises a secure hardware circuit.
8. The method of claim 7, the secure hardware circuit comprising a field-programmable gate array.
9. The method of claim 1, wherein the multiple data operations include the insert operation on the key-value store, the lookup operation on the key-value store, the delete operation on the key-value store, and the update operation on the key-value store.
10. The method of claim 9, wherein the insert operation, the lookup operation, the delete operation, and the update operation are performed by the trusted module prior to initiating the deferred verification, and the deferred verification attests to integrity of the key-value store after the insert operation, the lookup operation, the delete operation, and the update operation are performed by the trusted module.
11. A trusted module comprising:
a cryptographic key shared with a client; and
logic circuitry configured to:
receive requests provided by the client to perform multiple data operations on a set of data within the trusted module;
perform the multiple data operations within the trusted module;
after performing the multiple data operations within the trusted module, perform deferred verification of the multiple data operations performed within the trusted module;
in an instance where the deferred verification succeeds, generate cryptographic verification information using the cryptographic key, the cryptographic verification information attesting to integrity of the multiple data operations performed within the trusted module; and
output the cryptographic verification information and results of the multiple data operations performed within the trusted module,
wherein the multiple data operations are performed by the trusted module on a key-value store prior to initiating the deferred verification, the multiple data operations include at least one of an insert operation, a lookup operation, a delete operation, or an update operation, and the deferred verification attests to integrity of the multiple data operations on the key-value store.
12. The trusted module of claim 11, wherein the logic circuitry is further configured to:
in another instance when the deferred verification fails, resort to a previously-verified backup of the set of data.
13. The trusted module of claim 12, wherein the logic circuitry is further configured to:
maintain a read set for the multiple data operations and a write set for the multiple data operations.
14. The trusted module of claim 13, wherein the logic circuitry is further configured to:
determine that the deferred verification succeeds when the read set matches the write set.
15. The trusted module of claim 14, wherein the logic circuitry is further configured to:
determine that the deferred verification fails when the read set does not match the write set.
16. The trusted module of claim 15, wherein the logic circuitry is further configured to:
write data of the write set to verified memory cells; and
read the data of the read set from the verified memory cells.
17. The trusted module of claim 11, implemented as a field-programmable gate array.
18. The trusted module of claim 11, implemented in a central processing unit.
19. The trusted module of claim 11, implemented within a secure enclave provided by a central processing unit.
20. A computer-readable storage medium storing instructions which, when executed by a programmable processor or a hardware logic component, implement trusted functionality configured to:
receive requests provided by a client to perform multiple data operations on a set of data within the trusted functionality, the trusted functionality sharing a cryptographic key with the client;
perform the multiple data operations within the trusted functionality;
after performing the multiple data operations within the trusted functionality, perform deferred verification of the multiple data operations performed within the trusted functionality;
in an instance where the deferred verification succeeds, generate cryptographic verification information using the cryptographic key, the cryptographic verification information attesting to integrity of the multiple data operations performed within the trusted functionality; and
output the cryptographic verification information and results of the multiple data operations performed within the trusted functionality,
wherein the multiple data operations are performed by the trusted functionality on a key-value store prior to initiating the deferred verification, the multiple data operations include at least one of an insert operation, a lookup operation, a delete operation, or an update operation, and the deferred verification attests to integrity of the multiple data operations on the key-value store.
Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.